Proton Mail suspended journalist accounts at request of cybersecurity agency

Expectations of Privacy vs. Reality of Control

  • Many assumed Proton couldn’t meaningfully act on specific accounts because of its strong privacy guarantees; commenters point out that it can:
    • Disable or delete accounts and block incoming mail without knowing the owner’s real identity.
    • Potentially push targeted client-side code (JS) to specific users, since Proton controls the clients and backend.
  • Some note the clients and bridge are open source, so in theory users can audit and run their own builds, but others stress this doesn’t prevent targeted JS injection or server-side abuse.
  • IP-based anti-abuse measures (linking multiple signups from one IP) are seen as undermining privacy and enabling collateral damage on shared IPs.

CERT Requests, Law, and Proton’s Response

  • Core dispute: Proton disabled accounts after a complaint from a foreign CERT (likely KrCERT), which has no direct legal authority in Switzerland.
  • Some argue Proton should only act on court orders from its own jurisdiction; others say most CERT reports are legitimate and should trigger action, but only after manual checks, especially when journalists or security research are obviously involved.
  • One commenter notes that hacking remains illegal even against “adversary” states and violates Proton’s ToS; from this view Proton was obliged to respond once alerted.

Incident Handling, Communication, and Trust

  • Timeline criticism:
    • Journalists’ accounts were suspended; appeals via normal channels were reportedly denied.
    • Proton allegedly ignored early private outreach and only reinstated accounts after social media backlash.
    • Proton’s public statement (quoted from Reddit) claims only two legal emails were received, with an “unrealistic” 48‑hour weekend deadline, and says two accounts were reinstated while others had “clear ToS violations.”
  • Several see this as a pattern: a slow, opaque response, perceived minimization, and a “cover-up” that damages trust more than the initial mistake.
  • Others defend Proton, suggest the outrage is disproportionate or brigaded, and argue it still compares favorably to big US providers.

Broader Concerns: Power, Influence, and Alternatives

  • Worry that only users with significant social media reach can get wrongful suspensions fixed; “nobodies” may have no recourse.
  • Multiple users cite technical or UX issues (Bridge complexity, bugs, missing features, billing confusion) and Proton’s account-deletion policy for inactive free accounts as further eroding trust.
  • Many discuss moving to alternatives (Fastmail, Tuta, Posteo, Migadu, mailbox.org, Runbox, Zoho, self-hosting), while noting trade-offs (no E2EE, IP reputation, spam, legal exposure).
  • Several conclude email is inherently bad for high-risk secrecy; recommend Signal, Matrix, or other end-to-end, more “technologically trustless” systems for sensitive work.